Unified user identification with automatic mapping and database absence handling

ABSTRACT

An identification system that may be used in heterogeneous computing environments provides a fail-free path to providing identifiers from a single canonical namespace. Objects or gateways requiring an identifier for access are accessed using an identifier for the canonical namespace. If an entity requests access using an identifier from another namespace, an external database is consulted to determine if a mapping exists for the identifier to another identifier in the canonical namespace. If no mapping exists, or the external database is unavailable, then an identifier is automatically generated in the canonical namespace and is used for the access. An internal database is updated with the automatically generated identifier, providing a mechanism to add mappings without administrative intervention. To access resources requiring an identifier from another particular namespace, a canonical namespace identifier may be mapped to another identifier in the particular namespace, or a generic identifier may be used.

CROSS-REFERENCE TO RELATED APPLICATION(S)

The present application is a continuation of U.S. patent application Ser. No. 14/147,675, filed on Jan. 6, 2014; which is a continuation of U.S. Pat. No. 8,700,664, issued on Apr. 15, 2014; which is a continuation of U.S. Pat. No. 8,447,780, issued on May 21, 2013; which is a continuation of U.S. Pat. No. 8,180,794, issued on May 15, 2012; and which is a continuation of U.S. Pat. No. 8,086,633 on Dec. 27, 2011, which are incorporated herein in their entirety by reference.

TECHNICAL FIELD

This disclosure relates to security authentication in computer systems, and more specifically to an authentication system that provides unified user identification across multiple namespaces.

BACKGROUND

In networked computer systems, and in particular, in heterogeneous networking environments across multiple operating systems, entity authentication presents a management challenge. Entities, or in the present context, security principals, may be individual users, groups, particular machines, and the like. Entities are typically externally identified by a user ID or name that provides a symbolic tag, but internally, a numeric tag is typically associated with the entity as a practical measure. The numeric tag then provides a uniform identifier in the particular environment, such as security identifier objects (SIDs) used in Microsoft WINDOWS, or group and user identifiers as used in UNIX-type operating systems. (UNIX is a trademark of The Open Group.) Application programming interfaces (APIs) that access secured objects generally require such a numeric tag as an input, either directly or implicitly, as do gateways such as network portals.

Typically, an external database is used to map an entity identifier from one namespace to all of the various namespaces that the entity might encounter. An entity should be able to access the same set of objects irrespective of the operating system, network, machine, etc. from which an access occurs. Therefore, a large number of mappings may be required to and from various namespaces associated with various operating systems, machines and in some instances particular sub-systems or applications. Such identifier mappings have several drawbacks. First, the database must typically be fully populated before use, which is a labor-intensive process and has a high barrier to entry. Second, the reliance on an external database is a security vulnerability that is continuously exposed. Finally, it is frequently impractical to query a platform-specific database from a different platform, making the interface to the external database awkward for at least some of the access paths.

Therefore, it would be desirable to provide an identification method and system that provides uniform identification, can provide automatic population of identifiers and that adapts easily to access paths from different platforms.

SUMMARY

The invention is embodied in a computer-performed method, computer program product and computer system that authenticates entities generating accesses in a computer system.

Accesses to objects or gateways in the computer system, which may be a network of computers executing different operating systems, are made using canonical identifiers from a single namespace. Accesses directly specifying an identifier from the canonical namespace are made directly, while accesses made with identifiers from other namespaces are looked up in an external mapping database to obtain corresponding identifiers in the canonical namespace. If the external mapping database is not available or the identifier is not already present, a new identifier is automatically generated and used for the present access, and generally an entire session. The automatically-generated identifier is stored in an internal database and used for subsequent accesses by the same entity, making it possible to automatically populate the canonical namespace. The external database, if available, can be periodically polled to determine if the entity obtains an identifier in the same namespace mapped to by an automatically generated mapping, indicating a conflict. The external database lookup results are used to resolve the conflict.

Accesses to objects or gateways requiring an identifier from another particular namespace may be handled by a database lookup that obtains an identifier in the particular namespace that corresponds to the identifier from the canonical namespace. Alternatively, a generic identifier from the particular namespace may be assigned to all accesses from the canonical namespace.

These and other aspects of the present disclosure are disclosed in the following detailed description of the embodiments, the appended claims and the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is best understood from the following detailed description when read in conjunction with the accompanying drawings. It is emphasized that, according to common practice, the various features of the drawings are not to scale. On the contrary, the dimensions of the various features are arbitrarily expanded or reduced for clarity.

FIG. 1 is a block diagram illustrating a networked computer system in which techniques according to an embodiment of the present invention are practiced.

FIG. 2 is a pictorial diagram showing accesses to objects and the relationship of identifier namespaces within the system of FIG. 1.

FIG. 3 is a flow chart of a method in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention relates to computer security systems, and specifically identification of entities, including users, groups, and the like, between systems and software requiring identifiers from differing namespaces. A canonical namespace is managed such that a fail-free path is provided for accesses made via identifiers from other namespaces. When an identifier from another namespace is used for the access, an external mapping database is consulted to determine if a corresponding identifier from the canonical namespace is present in the external database. If the external database is not available, or the corresponding identifier is not present in the external database, an identifier in the canonical namespace is automatically generated. The generated identifiers are stored in an internal database, making it possible to populate the internal database automatically. Accesses requiring identifiers from another namespace can be made using a canonical identifier to look up corresponding identifiers in the other namespace, or by assigning a generic identifier in the other namespace to identifiers in the canonical namespace. The external database can be periodically polled to discover any new or changed mappings for identifiers of interest. If a new or changed external mapping is discovered that conflicts with an existing automatically generated mapping stored in the internal database, the external mapping is used.

Referring now to FIG. 1, a networked computer system in which an embodiment of the present invention is practiced is depicted in a block diagram. A first workstation computer system 10A includes a processor CPU coupled to a memory MEM that contains program instructions for execution by CPU, including a virtual file system (VFS) interface 11A, which provides a native file system interface to the particular operating system executed by workstation computer system 10A, for example the WINDOWS operating system. Workstation computer system 10A is also depicted as including a graphical display Display and input devices Input Devices, such as mice and keyboards, for interacting with user interfaces including login screens and other user interfaces for interacting with other computers connected to the network, for example, administration screens for administering identification and authorization profiles used by the techniques of the present invention.

Workstation computer system 10A also includes a hard disc controller HDC 14 that interfaces processor CPU to local storage device 17A and a network interface that couples workstation computer system 10A to network 15, which may be fully wireless, fully wired or any type of hybrid network. VFS interface 11A provides a uniform set of application programming interfaces (APIs) that provide access to resources, such as local storage device 17A or remote storage such as storage devices 17B and 17C, which are coupled to network 15 by network disc controller (NWDC) 18. An external mapping database DB, external to the VFS, provides storage for traditional administrative mapping information as will be described in further detail below, and which may be a single database, or comprise multiple databases. An internal mapping database IDB provides for storage of automatically-generated identifier mappings and is internal to the VFS, which means that internal database IDB is owned by the VFS and is not generally accessible to other sub-systems. Another workstation computer system 10B, having an internal organization similar to that depicted in workstation computer system 10A, is coupled to network 15 and executes a different operating system, e.g., UNIX. A different VFS client 11B is provided and executed within workstation computer system 10B to provide suitable native APIs for accessing storage within workstation computer system 10B, networked storage devices 17B and 17C, as well as local storage device 17A within workstation computer system 10A, if local storage device 17A is shared.

Network 15 may include wireless local area networks (WLANs), wired local-area networks (LANs), wide-area networks (WANs) or any other suitable interconnection that provides communication between workstation computer systems 10A and 10B, local storage devices 17A-17C, external database DB and any other systems and devices coupled to network 15. Internal database IDB is generally a file stored within a storage device, such as one of local storage devices 17A-17C, and is thereby accessible by file system interface objects 11A and 11B over network 15. Further, the present invention concerns identification functionality that is not limited to a specific computer system or network configuration. Finally, the specification of workstation computer systems 10A and 10B and the location of their specific memory MEM and file system interface objects 11A and 11B does not imply a specific client-server relationship or hierarchical organization, as the techniques of the present invention may be employed in distributed systems in which no particular machine is identified as a server, but at least one of the machines provides an instance and functionality of an object or interface that performs identification in accordance with an embodiment of the present invention. The objects or interfaces process accesses according to methods and structures of the present invention, as described in further detail below.

Referring now to FIG. 2, a pictorial diagram illustrating a relationship between identifiers and interfaces within the system of FIG. 1 is shown. The depicted structure is only one of many possible program structures for implementing the identification methodology described herein, and is provided as an example of an embodiment of a structure in accordance with an embodiment of the present invention, performing an exemplary set of accesses. An input/output request (IORQ) IORQ 1 is received at VFS interface 11A and has associated with it an entity identifier ID1 from system 1 namespace 21A, e.g., a security identifier (SID) as is used in Windows operating systems. In the example, I/O request IORQ 1 targets storage device 17, which contains a UNIX-based file system image. In order to access target storage device 17, a suitable identifier must be provided when VFS interface 11A passes I/O request IORQ 1 along to the file system driver managing storage device 17. In order to provide the identifier, VFS interface 11A (or a remote object or service called by VFS interface 11A) queries database DB for an entry matching identifier ID1. If database DB is available, and the entry is present, the member C(ID1) of canonical namespace 22 corresponding to identifier ID1 is obtained from database DB. Otherwise, a new identifier C′(ID1) is automatically generated in a reserved portion 24 of canonical namespace 22. In practice, identifiers such as identifier C′(ID1) are not generated for each access; rather, internal database IDB stores all such automatically generated identifiers, so that subsequent accesses by the same entity will be mapped by internal database IDB directly to canonical namespace 22. A reserved portion 24 of canonical namespace 22 is used to ensure that no overlap of automatically-generated identifiers occurs with another identifier already being used, e.g., by a mapping in external database DB. In the exemplary embodiment, the automatically-generated identifiers are constructed by incrementing a counter, as other than the uniqueness of each identifier, no special significance nor information is contained in the identifier itself; only the mapping to the corresponding identifiers, e.g. identifier ID1 in the other namespace(s), is important in general. However, alternative techniques such as hashing or other computation may be used to generate the automatically-generated identifiers. Once identifier C′(ID1) is generated, it is stored in internal database IDB for future use, since any files that become owned or are created by the entity identified by identifier C′(ID1) will require the owner.

In the depicted example, for generality, the file system driver managing local storage device 17 is depicted as requiring identifiers from canonical namespace 22. However, under certain circumstances, an identifier from canonical namespace 22 or another namespace may be needed as a return value to the originating platform. For example, when a query from a WINDOWS operating system is made to obtain the owner of a file, which in WINDOWS is a security identifier sd.SID. In order to provide a security identifier for a file having an owner identified only in canonical namespace 22, a conversion algorithm 26 may be used to generate an artificial, but compatible, security identifier sd.SID from canonical ID C′(ID1). Alternatively, a dummy or generic identifier compatible with namespace 21A may be provided from VFS interface 11A in response to a request for an owner identifier of a file whose owner is not identified in namespace 21A.

It is understood that the techniques illustrated above apply to object accesses in general, and storage devices/files are only an illustrative example of an object type for which access may be mapped according to embodiments of the present invention. Further, it is understood that the mapping provided by the above-described technique is not a 1:1 security mapping, but for automatically-generated identifiers, can provide some level of access, e.g., that level of access available to non-owner non-group members in UNIX. However, once the identifiers are populated in database DB in traditional administrative fashion, or automatically generated and stored in internal database IDB, permissions can be subsequently tailored to the entity's needs. For example, a user may access a UNIX storage device from a WINDOWS operating system temporarily, receiving access to directories such as /tmp via identifier ID1 mapped to automatically-generated canonical namespace identifier C′(ID1). Subsequently the entity can arrange for an administrator to set permissions for accessing /usr/entity1, providing the same permissions as entity 1 has under their normal UNIX account, for example.

Referring now to FIG. 3, a method in accordance with an embodiment of the present invention is illustrated in a flowchart. In the depicted method, an access attempt including an identifier ID is received by a subsystem (step 40). If the ID is from the canonical namespace (decision 41), then the access is made using the ID from the canonical namespace (step 48). (The illustrative embodiment of FIG. 3 presumes that the ultimate access is made from the canonical namespace, so no second lookup is required.) If the ID is not from the canonical namespace (decision 41), a check is performed to determine if external database DB is present (decision 42). If external database DB is present (decision 42), then a lookup is performed in database DB to obtain the corresponding identifier to identifier ID in the canonical namespace (step 43). If the ID maps to the canonical namespace (decision 44), then the access is made with the ID retrieved from database DB in the canonical namespace (step 48). If external database DB is not present (decision 42) or the ID is not mapped to the canonical namespace in external database DB (decision 44), then a lookup is performed in internal database IDB to determine if a previously auto-generated mapping to the canonical namespace is already present for the entity (decision 46). If a previous auto-generated mapping exists (decision 46), the access is then made using the ID from the canonical namespace retrieved from internal database IDB (step 48). If a previous auto-generated mapping does not exist (decision 46), an ID in the canonical namespace is automatically generated for the entity and stored in internal database IDB (step 47), then the access is made using the new ID from the canonical namespace (step 48).
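The FIG. 3 decision path, the counter-based generation inside the reserved portion of the canonical namespace described for FIG. 2, the periodic poll that lets an external mapping override a conflicting auto-generated one, and the reverse lookup with a generic fallback, as one added Python example that is not code from the patent. The class and constant names (Ident, ExternalDB, Resolver, RESERVED_START, CANONICAL_LIMIT, GENERIC_ID), the size of the namespaces, and the sample SID strings are assumptions constructed for the example; the external database is modelled as a dictionary that can be switched to "unavailable" to exercise the fail-free path.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Layout of the canonical namespace. Assumed values for the example, not from
# the patent: identifiers at or above RESERVED_START form the reserved portion
# that only auto-generated mappings may use, so they can never collide with an
# administratively assigned identifier held in the external database.
CANONICAL_LIMIT = 1_000_000
RESERVED_START = 900_000
# Generic/dummy identifier returned when a canonical ID has no counterpart in
# the requested namespace (placeholder value constructed for the example).
GENERIC_ID = "generic"


@dataclass(frozen=True)
class Ident:
    namespace: str   # e.g. "canonical", "windows", "unix"
    value: str


class ExternalDB:
    """Administratively maintained mapping store (DB). May be unreachable."""

    def __init__(self, mappings: dict[Ident, int], available: bool = True) -> None:
        self.mappings = dict(mappings)
        self.available = available

    def lookup(self, ident: Ident) -> Optional[int]:
        if not self.available:
            raise ConnectionError("external mapping database unreachable")
        return self.mappings.get(ident)


class Resolver:
    """FIG. 3 decision path plus periodic reconciliation against the external DB."""

    def __init__(self, external: ExternalDB) -> None:
        self.external = external
        self.internal: dict[Ident, int] = {}   # IDB: auto-generated mappings only
        self.next_auto = RESERVED_START

    @staticmethod
    def is_canonical(ident: Ident) -> bool:
        return ident.namespace == "canonical"

    def resolve(self, ident: Ident) -> int:
        """Return a canonical identifier for any incoming identifier; never fails."""
        if self.is_canonical(ident):                   # decision 41 -> step 48
            return int(ident.value)
        try:                                           # decision 42, step 43
            mapped = self.external.lookup(ident)
        except ConnectionError:
            mapped = None                              # DB absent: fail-free path
        if mapped is not None:                         # decision 44 -> step 48
            return mapped
        if ident in self.internal:                     # decision 46 -> step 48
            return self.internal[ident]
        return self._generate(ident)                   # step 47 -> step 48

    def _generate(self, ident: Ident) -> int:
        # Counter-based generation as in the exemplary embodiment; exhaustion is
        # reported rather than wrapping into the administratively assigned range.
        if self.next_auto >= CANONICAL_LIMIT:
            raise RuntimeError("reserved portion of canonical namespace exhausted")
        new_id = self.next_auto
        self.next_auto += 1
        self.internal[ident] = new_id
        return new_id

    def reconcile(self) -> list[tuple[Ident, int, int]]:
        """Periodic poll: an external mapping wins over a conflicting auto-generated one."""
        changed: list[tuple[Ident, int, int]] = []
        if not self.external.available:
            return changed
        for ident, auto_id in list(self.internal.items()):
            ext_id = self.external.lookup(ident)
            if ext_id is not None and ext_id != auto_id:
                changed.append((ident, auto_id, ext_id))
                self.internal[ident] = ext_id
        return changed

    def to_namespace(self, canonical_id: int, namespace: str) -> str:
        """Reverse direction: the entity's identifier in another namespace, else GENERIC_ID."""
        tables = [self.external.mappings] if self.external.available else []
        tables.append(self.internal)
        for table in tables:
            for ident, cid in table.items():
                if cid == canonical_id and ident.namespace == namespace:
                    return ident.value
        return GENERIC_ID


if __name__ == "__main__":
    # Constructed sample: one administratively mapped SID, one unmapped SID.
    win_a = Ident("windows", "S-1-5-21-1-2-3-1001")
    win_b = Ident("windows", "S-1-5-21-1-2-3-1002")
    db = ExternalDB({win_a: 4242})
    r = Resolver(db)
    print(r.resolve(win_a), r.resolve(win_b))   # external hit, then auto-generated
    db.available = False
    print(r.resolve(win_a))                     # outage: provisional ID from the reserved portion
    db.available = True
    print(r.reconcile())                        # poll restores the administrative mapping
```

Two points a practitioner should take from the run: the reserved portion is what makes the fail-free path safe, since an identifier minted during an outage can never equal one that administrators assigned; and reconcile() is what bounds how long an entity keeps operating under a provisional identity after the external database returns, so the polling interval is effectively a security parameter of the design.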

While the invention has been described in connection with certain embodiments, it is to be understood that the invention is not to be limited to the disclosed embodiments but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the scope of the appended claims, which scope is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures as is permitted under the law.

What is claimed is:
1. A computer-performed method for controlling access to a resource in a computer system, the method comprising: within the computer system receiving an internal input/output request to access a resource of the computer system, the request including a first identifier associated with an entity, wherein access to the resource requires a security identifier from a canonical namespace; determining whether or not the first identifier is a member of the canonical namespace containing identifiers used to access resources in the computer system; responsive to determining that the first identifier is a member of the canonical namespace, accessing the resource using the first identifier; responsive to determining that the first identifier is not a member of the canonical namespace, whereby the first identifier is determined to not be an identifier that can be used to directly access the resource, determining whether the first identifier has a mapping to a second identifier that is a member of the canonical namespace, wherein the mapping is stored in an internal database; responsive to determining that the first identifier is not a member of the canonical namespace and does have a mapping to the canonical namespace stored in the internal database, obtaining the second identifier for the entity within the canonical namespace from an entry in the internal database corresponding to the first identifier; responsive to obtaining the second identifier from the entry in the internal database, accessing the resource using the second identifier; responsive to determining that the first identifier is not a member of the canonical namespace, and does not have a mapping to the canonical namespace stored in the internal database, automatically generating a third identifier for the entity within the canonical namespace and storing the third identifier in the internal database for further identification of the entity; and responsive to generating and storing the third identifier, accessing the resource using the third identifier.

2. The computer-performed method of claim 1, wherein the receiving receives a request to access a resource not directly accessible using an identifier from the canonical namespace but otherwise accessible using a fourth identifier from another namespace, wherein the first identifier is a member of the canonical namespace, and wherein the method further comprises: obtaining the fourth identifier in the another namespace using the first identifier; and responsive to obtaining the fourth identifier, accessing an object using the fourth identifier.

3. The computer-performed method of claim 2, wherein the obtaining comprises automatically generating the fourth identifier in the another namespace, wherein the fourth identifier is a unique identifier generated to correspond to the first identifier.

4. A computer system comprising: a processor for executing program instructions; and a memory coupled to the processor for executing the program instructions, wherein the program instructions include program instructions for controlling access to a resource in the computer system, including program instructions that receive, within the computer system, an internal input/output request to access a resource, the request including a first identifier associated with an entity, wherein access to the resource requires a security identifier from a canonical namespace, program instructions that determine whether or not the first identifier is a member of the canonical namespace containing identifiers used to access resources in the computer system, program instructions that, responsive to determining that the first identifier is a member of the canonical namespace, accessing the resource using the first identifier, program instructions that, responsive to determining that the first identifier is not a member of the canonical namespace, whereby the first identifier is determined to not be an identifier that can be used to directly access the resource, determine whether the first identifier has a mapping to a second identifier that is a member of the canonical namespace, wherein the mapping is stored in an internal database of the computer system, program instructions that, responsive to determining that the first identifier is not a member of the canonical namespace and does have a mapping to the canonical namespace stored in the internal database, obtain the second identifier for the entity within the canonical namespace from an entry in the internal database corresponding to the first identifier, program instructions that, responsive to obtaining the second identifier from the entry in the internal database, access the resource using the second identifier, program instructions that, responsive to determining that the first identifier is not a member of the canonical namespace and does not have a mapping to the canonical namespace stored in the internal database, automatically generate a third identifier for the entity within the canonical namespace and store the third identifier in the internal database for further identification of the entity, and program instructions that, responsive to generating and storing the third identifier, accessing the resource using the third identifier.

5. The computer system of claim 4, wherein the program instructions for receiving receive a request to access a resource not directly accessible using an identifier from the canonical namespace but otherwise accessible using a fourth identifier from another namespace, wherein the first identifier is a member of the canonical namespace, and wherein the program instructions further comprise program instructions for: obtaining the fourth identifier in the another namespace using the first identifier; and responsive to obtaining the fourth identifier, accessing an object using the fourth identifier.

6. The computer system of claim 5, wherein the program instructions for obtaining comprise program instructions for automatically generating the fourth identifier in the another namespace, wherein the fourth identifier is a unique identifier generated to correspond to the first identifier.

7. A computer program product comprising computer-readable memory that is not a signal or a carrier wave storing program instructions for execution within a computer system, wherein the program instructions include program instructions for controlling access to a resource in the computer system, wherein the program instructions comprise program instructions for: within the computer system, receiving an internal input/output request to access a resource, the request including a first identifier associated with an entity, wherein access to the resource requires a security identifier from a canonical namespace; determining whether or not the first identifier is a member of the canonical namespace containing identifiers used to access resources in the computer system; responsive to determining that the first identifier is a member of the canonical namespace, accessing the resource using the first identifier; responsive to determining that the first identifier is not a member of the canonical namespace, whereby the first identifier is determined to not be an identifier that can be used to directly access the resource, determining whether the first identifier has a mapping to a second identifier that is a member of the canonical namespace, wherein the mapping is stored in an internal database; responsive to determining that the first identifier is not a member of the canonical namespace and does have a mapping to the canonical namespace stored in the internal database, obtaining the second identifier for the entity within the canonical namespace from an entry in the internal database corresponding to the first identifier; responsive to obtaining the second identifier from the entry in the internal database, accessing the resource using the second identifier; responsive to determining that the first identifier is not a member of the canonical namespace and does not have a mapping to the canonical namespace stored in the internal database, automatically generating a third identifier for the entity within the canonical namespace and storing the third identifier in the internal database for further identification of the entity; and responsive to generating and storing the third identifier, accessing the resource using the third identifier.

8. The computer program product of claim 7, wherein the program instructions for receiving receive a request to access a resource not directly accessible using an identifier from the canonical namespace but otherwise accessible using a fourth identifier from another namespace, wherein the first identifier is a member of the canonical namespace, and wherein the program instructions further comprise program instructions for: obtaining the fourth identifier in the another namespace using the first identifier; and responsive to obtaining the fourth identifier, accessing an object using the fourth identifier.

9. The computer program product of claim 8, wherein the program instructions for obtaining comprise program instructions for automatically generating the fourth identifier in the another namespace, wherein the fourth identifier is a unique identifier generated to correspond to the first identifier.